CVE-2024-7344 (INSYDE-SA-2024021)
Closed this issue · 5 comments
Splitting this out from #63.
INSYDE-SA-2024021 is GHSA-7xfj-4r7x-3733
This is not a vulnerability in Insyde BIOS, it's a third party application that's signed by the Microsoft UEFI keys.
Because we include the Microsoft public keys to be able to boot Windows, we are vulnerable to that.
The mitigation is simple, in future updates we will include dbx entries to blacklist this third party application.
But before that, it's also really easy to mitigate:
For Windows users the 2025 January 14 Update includes a DBX Update
For Linux users DBX can be updated using LVFS and an updated one is already available: fwupd.org/lvfs/devices/com.microsoft.dbx.x64.firmware
For LVFS/FWUPD, see: https://blogs.gnome.org/hughsie/2025/01/20/fwupd-2-0-4-and-dbxupdate-20241101/
I'm trying with 2.0.8 on Framework 13 (13th Gen Intel Core).
First checking the current DBX:
> fwupdtool get-devices --plugins uefi-dbx
Loading… [************************************** ]
Framework Laptop (13th Gen Intel Core)
│
└─UEFI dbx:
Device ID: 362301da643102b9f38477387e2193e57abaa590
Summary: UEFI revocation database
Current version: 20230501
Minimum Version: 20230501
Vendor: UEFI:Microsoft
Install Duration: 1 second
GUIDs: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
f35e120a-eb92-570d-8d38-78aa8ffdeebe ← UEFI\CRT_AD53C146418710CD810BE527FE414C8EC093BE04CE92CABBF11E7A96E4B53B4D&ARCH_X64
Device Flags: • Internal device
• Updatable
• Supported on remote server
• Needs a reboot after installation
• Cryptographic hash verification is available
• Device is usable for the duration of the update
• Only version upgrades are allowed
• Signed Payload
• Can tag for emulation
Now updating:
> sudo ./venv/bin/fwupdtool get-updates --plugins uefi-dbx
Loading… [************************************** ]
Framework Laptop (13th Gen Intel Core)
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 20230501
│ Minimum Version: 20230501
│ Vendor: UEFI:Microsoft
│ Install Duration: 1 second
│ GUIDs: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ f35e120a-eb92-570d-8d38-78aa8ffdeebe ← UEFI\CRT_AD53C146418710CD810BE527FE414C8EC093BE04CE92CABBF11E7A96E4B53B4D&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Cryptographic hash verification is available
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│ • Can tag for emulation
│
└─Secure Boot dbx Configuration Update:
New version: 20241101
Remote ID: lvfs
Release ID: 105821
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 15.1 kB
Created: 2025-01-17
Urgency: High
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
Issues: 529659
CVE-2024-7344
Checksum: d661d4a0aaca09dfa9e56967ca2467b0575fc07cb704d182fa8c68225452957f
> sudo fwupdtool update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20230501 to 20241101? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest ║
║ release from Microsoft. ║
║ ║
║ An insecure version of Howyar's SysReturn software was added, due to a ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot. ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
An update requires a reboot to complete. Restart now? [y|N]:
After update and reboot.
> sudo fwupdtool get-devices --plugins uefi-dbx
Framework Laptop (13th Gen Intel Core)
│
└─UEFI dbx:
Device ID: 362301da643102b9f38477387e2193e57abaa590
Summary: UEFI revocation database
Current version: 20241101
Minimum Version: 20241101
Vendor: UEFI:Microsoft
Install Duration: 1 second
GUIDs: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
f35e120a-eb92-570d-8d38-78aa8ffdeebe ← UEFI\CRT_AD53C146418710CD810BE527FE414C8EC093BE04CE92CABBF11E7A96E4B53B4D&ARCH_X64
Device Flags: • Internal device
• Updatable
• Supported on remote server
• Needs a reboot after installation
• Cryptographic hash verification is available
• Device is usable for the duration of the update
• Only version upgrades are allowed
• Signed Payload
• Can tag for emulation
To confirm that the vulnerability is mitigated, you can do the following:
First see that the hash of the x64 Howyar executable is CDB7C90D3AB8833D5324F5D8516D41FA990B9CA721FE643FFFAEF9057D9F9E48, see microsoft/secureboot_objects
Then you can check your system does include this hash in the dbx and therefore blocks execution of that vulnerable binary.
> efi-readvar | grep -i CDB7C90D3AB8833D5324F5D8516D41FA990B9CA721FE643FFFAEF9057D9F9E48
Hash:cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48
Note that the Windows and LVFS updates to DBX are NOT a BIOS update.
This makes the update process much simpler, only the EFI variable is updated and reboot is just a normal reboot.
On Windows you can check if DBX is up to date using: https://github.com/cjee21/Check-UEFISecureBootVariables
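The efi-readvar check above can also be done directly on the raw dbx variable. As an added example (not code from this issue, fwupd or efitools), the following parses the chain of EFI_SIGNATURE_LIST structures that make up dbx and reports whether a given SHA-256 hash is revoked; the sample blob is constructed inline, and the efivars path assumes the standard dbx variable name under /sys/firmware/efi/efivars.

```python
"""Parse a UEFI dbx blob (chain of EFI_SIGNATURE_LIST structures) and check
whether a SHA-256 image hash is revoked.  Added example, not fwupd/efitools code."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DBX_EFIVAR = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
# Hash of the vulnerable Howyar SysReturn x64 binary quoted in the issue.
HOWYAR_SHA256 = "cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48"

def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in a chain of
    EFI_SIGNATURE_LIST structures (UEFI spec, Signature Database section)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size          # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:       # each entry: SignatureOwner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob: bytes) -> set[str]:
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID and len(data) == 32}

def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256_hashes(blob)

def read_dbx_efivar(path: str = DBX_EFIVAR) -> bytes:
    """efivarfs prefixes the variable data with a 4-byte attributes word."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_sha256_list(hashes_hex: list[str]) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (constructed test data)."""
    owner = uuid.UUID(int=0).bytes_le
    sigs = b"".join(owner + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(sigs), 0, 48)
    return header + sigs

# Constructed dbx: two lists, the second containing the Howyar hash.
SAMPLE_DBX = build_sha256_list(["aa" * 32]) + build_sha256_list([HOWYAR_SHA256])
```

On a live system, `is_revoked(read_dbx_efivar(), HOWYAR_SHA256)` should return True after the 20241101 update and False with the 20230501 dbx shown earlier in the thread.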
Rolled out on Windows, Linux and new BIOS versions.